BeiNacht/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sun Nov 27 10:26:58 PM CET 2022

Browse Source
This commit is contained in:
Alexander Szczepanski
2022-11-27 22:26:58 +01:00
parent ee874eed20
commit 4f78fda23b
3 changed files with 143 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
configs/common-server.nix Normal file
View File

@ -0,0 +1,13 @@
{ config, lib, pkgs, ... }:
let
secrets = import ../configs/secrets.nix;
be = import ../configs/borg-exclude.nix;
unstable = import <nixos-unstable> { config.allowUnfree = true; };
in {
imports = [ ../configs/common.nix ../configs/docker.nix ../configs/user.nix ];
fileSystems."/export/docker" = {
device = "/home/alex/docker";
options = [ "bind" ];
};
}

53
machine/vps.nix
View File

@ -3,28 +3,9 @@ let
secrets = import ../configs/secrets.nix;
be = import ../configs/borg-exclude.nix;
unstable = import <nixos-unstable> { config.allowUnfree = true; };
configFile = pkgs.writeText "monero.conf" ''
log-file=/dev/stdout
data-dir=/var/lib/monero
rpc-bind-ip=127.0.0.1
rpc-bind-port=18081
enforce-dns-checkpointing=true
enable-dns-blocklist=true # Block known-malicious nodes
no-igd=true # Disable UPnP port mapping
no-zmq=true # ZMQ configuration
# bandwidth settings
out-peers=32 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
in-peers=32 # The default is unlimited; we prefer to put a cap on this
'';
in {
imports = [
/etc/nixos/hardware-configuration.nix
../configs/common.nix
../configs/docker.nix
../configs/user.nix
];
imports =
[ /etc/nixos/hardware-configuration.nix ../configs/common-server.nix ];
boot.loader.grub = {
enable = true;
@ -32,11 +13,6 @@ in {
device = "/dev/sda"; # or "nodev" for efi only
};
fileSystems."/export/docker" = {
device = "/home/alex/docker";
options = [ "bind" ];
};
time.timeZone = "Europe/Berlin";
networking = {
@ -492,31 +468,6 @@ in {
};
};
# users.users.monero = {
# isSystemUser = true;
# group = "monero";
# description = "Monero daemon user";
# home = "/var/lib/monero";
# createHome = true;
# };
# users.groups.monero = { };
# systemd.services.monero = {
# description = "monero daemon";
# after = [ "network.target" ];
# wantedBy = [ "multi-user.target" ];
# serviceConfig = {
# User = "monero";
# Group = "monero";
# ExecStart =
# "${unstable.pkgs.monero-cli}/bin/monerod --config-file=${configFile} --non-interactive";
# Restart = "always";
# SuccessExitStatus = [ 0 1 ];
# };
# };
# Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;

128
machine/vps3.nix Normal file
View File

@ -0,0 +1,128 @@
{ config, lib, pkgs, ... }:
let
secrets = import ../configs/secrets.nix;
be = import ../configs/borg-exclude.nix;
unstable = import <nixos-unstable> { config.allowUnfree = true; };
in {
imports =
[ /etc/nixos/hardware-configuration.nix ../configs/common-server.nix ];
time.timeZone = "Europe/Berlin";
networking = {
hostName = "vpse"; # Define your hostname.
useDHCP = false;
interfaces.ens18 = { useDHCP = true; };
wireguard.interfaces = {
wg0 = {
ips = [ "10.100.0.1/24" ];
listenPort = 51820;
postSetup = ''
${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
postShutdown = ''
${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
'';
privateKey = secrets.wireguard-vps-private;
peers = [
{
publicKey = secrets.wireguard-desktop-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.2/32" ];
}
{
publicKey = secrets.wireguard-mini-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.3/32" "192.168.178.0/24" ];
}
{
publicKey = secrets.wireguard-mbp-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.4/32" ];
}
{
publicKey = secrets.wireguard-phone1-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.5/32" ];
}
{
publicKey = secrets.wireguard-raspberrypi-public;
presharedKey = secrets.wireguard-preshared;
allowedIPs = [ "10.100.0.6/32" ];
}
];
};
};
firewall = {
allowPing = true;
allowedTCPPorts = [
80 # web
443 # web
];
allowedUDPPorts = [
80 # web
443 # web
51820 # wireguard
];
# interfaces.wg0 = {
# allowedTCPPorts = [
# 2049
# 61208 # foo
# ];
# };
};
};
environment.systemPackages = with pkgs; [ goaccess xd nyx ];
programs = {
mtr.enable = true;
fuse.userAllowOther = true;
};
security.acme.defaults.email = "webmaster@szczepan.ski";
security.acme.acceptTerms = true;
services = {
fail2ban = {
enable = true;
jails.DEFAULT = ''
bantime = 7d
'';
jails.sshd = ''
filter = sshd
maxretry = 4
action = iptables[name=ssh, port=ssh, protocol=tcp]
enabled = true
'';
};
borgbackup.jobs.home = rec {
compression = "auto,zstd";
encryption = {
mode = "repokey-blake2";
passphrase = secrets.borg-key;
};
extraCreateArgs =
"--stats --verbose --checkpoint-interval 600 --exclude-caches";
environment.BORG_RSH = "ssh -i /home/alex/.ssh/id_borg_rsa";
paths = [ "/home/alex" "/var/lib" ];
repo = secrets.borg-repo;
startAt = "daily";
prune.keep = {
daily = 7;
weekly = 4;
monthly = 6;
};
extraPruneArgs = "--save-space --stats";
exclude = [ "/home/alex/.cache" ];
};
};
# Limit stack size to reduce memory usage
systemd.services.fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
system.stateVersion = "22.05";
}